Next: FTP and telnet Up: Firewalls Previous: Firewalls   Contents   Index


ipchains

ipchains is the easier of the two to get working; in fact, your system is set up to work with ipchains by default. There are many tools for configuring ipchains. I will start with the least powerful and move to the most powerful.

lokkit is the firewall tool that comes with the installation GUI. You can start it from the shell by typing:

bash# lokkit

You can also start it from the setup menu mentioned in Chapter 7 by typing:

bash# setup

After lokkit you have firewall-config. This one must be run from a GUI, which is the biggest drawback of this utility. If you are in X you can start this command from a terminal window by typing:

bash# firewall-config

The last and most powerful program is emacs (or vi). You can edit and create your own firewall rules by typing:

bash# emacs /etc/sysconfig/ipchains

In this emacs session you can custom create your own firewall rules. Here are some example rules:

-A input -s 0.0.0.0/0 -d 0.0.0.0/0 111:111 -p 6 -j REJECT -l
-A input -s 0.0.0.0/0 -d 0.0.0.0/0 67:69 -i eth0 -p 17 -j DENY
-A forward -s 10.0.0.0/8 -d 0.0.0.0/0 -j MASQ

In the above examples, -A input appends the rule to the input chain, which handles packets arriving at this host (-A forward handles packets being routed through it). -s is the source IP/mask. -d is the destination IP/mask. 111:111 is a port range (here a single port). -i eth0 restricts the rule to that network interface. -p is the protocol, given by number or name; the numbers are listed in the /etc/protocols file (6 is TCP, 17 is UDP). -j DENY is the action the rule takes when a packet matches.

The first rule tells any computer that tries to connect to TCP port 111 that the port is closed, and logs the event. The second rule silently drops packets arriving on eth0 for UDP ports 67 to 69. The last rule forwards and masquerades all packets coming from the 10.x.x.x range, rewriting their source to the server's own IP address, and sends them on their way. For the third rule to work you also need to have routing (IP forwarding) enabled. This is discussed a little more in Chapter 10.
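The easiest way to make a mistake in /etc/sysconfig/ipchains is a rule that does not mean what you think it means, and ipchains gives terse errors when it refuses one. The following is an added example, not part of this tutorial, that parses rule lines in the format shown above and prints their meaning in plain English, flagging the one error ipchains itself rejects (a port range without -p tcp or -p udp). It assumes only the options used on this page and carries a small built-in protocol table instead of reading /etc/protocols, so it runs on any machine, with or without ipchains installed. The sample rules are the three from this page plus one constructed broken rule.

```python
"""Parse and summarize ipchains rule lines in /etc/sysconfig/ipchains format.

Added example for this tutorial, not code from the original page. It handles
only the options shown on the page (-A, -s, -d with an optional port spec,
-i, -p, -j, -l) and uses a small built-in protocol table (an assumption)
instead of reading /etc/protocols, so it runs without ipchains installed.
"""
import shlex

# Constructed subset of /etc/protocols covering the page's examples.
PROTOCOLS = {"1": "icmp", "6": "tcp", "17": "udp"}

# Constructed sample: the three rules from the page plus one broken rule
# (a port given without a TCP/UDP protocol, which ipchains rejects).
SAMPLE_RULES = """\
-A input -s 0.0.0.0/0 -d 0.0.0.0/0 111:111 -p 6 -j REJECT -l
-A input -s 0.0.0.0/0 -d 0.0.0.0/0 67:69 -i eth0 -p 17 -j DENY
-A forward -s 10.0.0.0/8 -d 0.0.0.0/0 -j MASQ
-A input -s 0.0.0.0/0 -d 0.0.0.0/0 23 -j DENY
"""


def _addr_and_ports(tokens, i):
    """Return (address, (lo, hi) or None, next index) for a -s/-d argument."""
    addr = tokens[i]
    i += 1
    ports = None
    # A port spec follows the address only if the next token is not an option.
    if i < len(tokens) and not tokens[i].startswith("-"):
        lo, _, hi = tokens[i].partition(":")
        ports = (int(lo), int(hi or lo))  # "23" means 23:23
        i += 1
    return addr, ports, i


def parse_rule(line):
    """Turn one rule line into a dict of its fields."""
    tokens = shlex.split(line)
    rule = {"chain": None, "src": None, "sports": None, "dst": None,
            "dports": None, "iface": None, "proto": None, "target": None,
            "log": False}
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        i += 1
        if opt == "-A":
            rule["chain"] = tokens[i]; i += 1
        elif opt == "-s":
            rule["src"], rule["sports"], i = _addr_and_ports(tokens, i)
        elif opt == "-d":
            rule["dst"], rule["dports"], i = _addr_and_ports(tokens, i)
        elif opt == "-i":
            rule["iface"] = tokens[i]; i += 1
        elif opt == "-p":
            p = tokens[i]; i += 1
            rule["proto"] = PROTOCOLS.get(p, p.lower())  # number or name
        elif opt == "-j":
            rule["target"] = tokens[i]; i += 1
        elif opt == "-l":
            rule["log"] = True
        else:
            raise ValueError("unsupported option %s in: %s" % (opt, line))
    return rule


def check_rule(rule):
    """Return a list of problems ipchains would reject or that make no sense."""
    problems = []
    if (rule["sports"] or rule["dports"]) and rule["proto"] not in ("tcp", "udp"):
        problems.append("port range given without -p tcp or -p udp")
    if rule["target"] is None:
        problems.append("no -j target")
    return problems


def describe(rule):
    """One-line, human-readable meaning of a parsed rule."""
    parts = ["%s chain:" % rule["chain"], rule["proto"] or "any protocol",
             "from", rule["src"] or "anywhere", "to", rule["dst"] or "anywhere"]
    if rule["dports"]:
        lo, hi = rule["dports"]
        parts.append("port %d" % lo if lo == hi else "ports %d-%d" % (lo, hi))
    if rule["iface"]:
        parts.append("via %s" % rule["iface"])
    parts.append("-> %s" % rule["target"])
    if rule["log"]:
        parts.append("(logged)")
    return " ".join(parts)


def audit(text):
    """Parse every non-empty, non-comment line; return [(rule, problems), ...]."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        results.append((rule, check_rule(rule)))
    return results


if __name__ == "__main__":
    for rule, problems in audit(SAMPLE_RULES):
        print(describe(rule))
        for p in problems:
            print("  PROBLEM:", p)
```

To check your real file, read /etc/sysconfig/ipchains into a string and pass it to audit(); any rule that uses an option this example does not know raises a ValueError naming the option, which is preferable to silently misreading it.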


Joseph Colton 2002-09-24